认识各语言的入口特征及加壳后的识别判断
C++入口特征
; OllyDbg listing: entry point of a C++ (MSVC-era CRT) build.
; Columns: address | marker | opcode bytes | disassembly | OllyDbg comment.
; Bracketed memory operands were dropped by the page extraction ("fs:" below was fs:[0];
; "mov ,esp" at 0040804A is 8965 E8 = mov [ebp-0x18],esp). The opcode-byte column still
; carries them, so match on the bytes / imported API names rather than on the rendered text.
; The ";ntdll.7C930228" / ";ntdll.KiFastSystemCallRet" comments are OllyDbg's display of
; register contents at the time of the session, not part of the code pattern.
; These are the traits of the *unpacked* program's entry point: on a packed sample the
; entry point belongs to the packer stub, and this shape only reappears at the original
; entry point once the sample is unpacked.
00408027 >/$ 55              push ebp
00408028 |.  8BEC            mov ebp,esp
0040802A |.  6A FF           push -0x1                    ; start of the CRT SEH frame: push -1, a table pointer, the handler
0040802C |.  68 F0F14000     push C++.0040F1F0
00408031 |.  68 84AF4000     push C++.0040AF84            ; SEH handler install
00408036 |.  64:A1 00000000  mov eax,dword ptr fs:        ; operand was fs:[0]: save the previous SEH frame
0040803C |.  50              push eax
0040803D |.  64:8925 000000> mov dword ptr fs:,esp        ; fs:[0] = esp: link the new frame
00408044 |.  83EC 58         sub esp,0x58
00408047 |.  53              push ebx
00408048 |.  56              push esi
00408049 |.  57              push edi                     ; ntdll.7C930228
0040804A |.  8965 E8         mov ,esp                     ; [ebp-0x18] = esp
0040804D |.  FF15 E4F04000   call dword ptr ds:[<&KERNEL32.GetVersion> ; kernel32.GetVersion -- the API the summary below keys on
00408053 |.  33D2            xor edx,edx                  ; ntdll.KiFastSystemCallRet
00408055 |.  8AD4            mov dl,ah                    ; the GetVersion result is split byte-wise and stored
00408057 |.  8915 D06B4100   mov dword ptr ds:,edx        ; ntdll.KiFastSystemCallRet
0040805D |.  8BC8            mov ecx,eax
0040805F |.  81E1 FF000000   and ecx,0xFF
00408065 |.  890D CC6B4100   mov dword ptr ds:,ecx
0040806B |.  C1E1 08         shl ecx,0x8
C++的入口函数GetVersionC++的字符串采用ASCII码查找C++的按钮事件采用查找SUB EAX,0A
汇编的入口
; OllyDbg listing: entry point of a MASM-style Win32 program (module shown as 汇编).
; Straight-line WinMain with no CRT prologue: GetModuleHandleA, InitCommonControls,
; SetUnhandledExceptionFilter, DialogBoxParamA, ExitProcess.
; The extraction dropped bracketed operands: "mov dword ptr ds:,eax" (A3 28544000) and
; "push dword ptr ds:" (FF35 28544000) both reference the same dword at 0x00405428, i.e. the
; hInstance returned by GetModuleHandleA is stored there and later passed to DialogBoxParamA.
0040285E >/$ 6A 00          push 0x0                                   ; /pModule = NULL
00402860 |.  E8 970B0000     call <jmp.&kernel32.GetModuleHandleA>      ; \GetModuleHandleA -- the API the summary below keys on
00402865 |.  A3 28544000     mov dword ptr ds:,eax                      ; [0x00405428] = hInstance
0040286A |.  E8 F50C0000     call <jmp.&comctl32.InitCommonControls>    ;
0040286F |.  68 9D334000     push 汇编.0040339D                         ; /pTopLevelFilter = 汇编.0040339D
00402874 |.  E8 F50B0000     call <jmp.&kernel32.SetUnhandledExceptio>  ; \SetUnhandledExceptionFilter
00402879 |.  6A 00           push 0x0                                   ; /lParam = NULL
0040287B |.  68 96284000     push 汇编.00402896                         ; |DlgProc = 汇编.00402896
00402880 |.  6A 00           push 0x0                                   ; |hOwner = NULL
00402882 |.  6A 65           push 0x65                                  ; |pTemplate = 65
00402884 |.  FF35 28544000   push dword ptr ds:                         ; |hInst = NULL (OllyDbg static value; at run time this is [0x00405428])
0040288A |.  E8 4B0C0000     call <jmp.&user32.DialogBoxParamA>         ; \DialogBoxParamA
0040288F |.  6A 00           push 0x0                                   ; /ExitCode = 0
00402891 \.  E8 480B0000     call <jmp.&kernel32.ExitProcess>           ; \ExitProcess
汇编的入口API函数 GetModuleHandleA汇编查找字符串使用ASCII码
易语言入口特征
; OllyDbg listing: entry point of an 易语言 (EPL) build.
; Byte for byte this is the same CRT prologue as the C++ listing on this page
; (55 8BEC 6AFF 68.. 68.. 64:A1 50 64:8925 83EC58 53 56 57 8965E8 FF15 GetVersion 33D2),
; so "calls GetVersion at the entry point" does not by itself separate 易语言 from MSVC C++;
; the other traits on this page (string encoding, button-event search) are needed to tell them apart.
; Bracketed operands were dropped by the extraction ("fs:" was fs:[0]; "mov ,esp" = 8965 E8 =
; mov [ebp-0x18],esp); the ";ntdll.*" comments are OllyDbg register-value annotations from
; the session, not part of the pattern.
004464D1 >/$ 55              push ebp
004464D2 |.  8BEC            mov ebp,esp
004464D4 |.  6A FF           push -0x1                    ; start of the CRT SEH frame
004464D6 |.  68 B0C14600     push 易语言.0046C1B0
004464DB |.  68 DCAC4400     push 易语言.0044ACDC          ; SEH handler install
004464E0 |.  64:A1 0000000>  mov eax,dword ptr fs:        ; operand was fs:[0]
004464E6 |.  50              push eax
004464E7 |.  64:8925 00000>  mov dword ptr fs:,esp        ; fs:[0] = esp
004464EE |.  83EC 58         sub esp,0x58
004464F1 |.  53              push ebx
004464F2 |.  56              push esi
004464F3 |.  57              push edi                     ; ntdll.7C930228
004464F4 |.  8965 E8         mov ,esp                     ; [ebp-0x18] = esp
004464F7 |.  FF15 98514600   call dword ptr ds:[<&KERNEL32.GetVersion> ; kernel32.GetVersion -- the API the summary below keys on
004464FD |.  33D2            xor edx,edx                  ; ntdll.KiFastSystemCallRet
易语言入口API函数 GetVersion
VC8入口特征
; OllyDbg listing: entry point of a VC8 (Visual Studio 2005-era) build.
; The entry is a two-instruction stub -- a call into 004061A3 followed by a backward jmp to
; 004038B3 (the real startup) -- so the GetVersion prologue of the older C++ listing is not
; at the entry point here; the page's own marker for this compiler is GetStartupInfoW.
; The code from 00403A3A onward is a separate function (its own push ebp prologue, "/$" marker)
; that happens to follow the stub.
; Bracketed operands were dropped by the extraction: 897D FC = mov [ebp-0x4],edi;
; 8975 F8 = mov [ebp-0x8],esi; 8B75 0C = mov esi,[ebp+0xC]; 8B7D 08 = mov edi,[ebp+0x8];
; 8B4D 10 = mov ecx,[ebp+0x10].
00403A30 > $ E8 6E270000     call VC8.004061A3
00403A35 .^  E979FEFFFF      jmp VC8.004038B3
00403A3A /$  55              push ebp
00403A3B |.  8BEC            mov ebp,esp
00403A3D |.  83EC 08         sub esp,0x8
00403A40 |.  897D FC         mov ,edi                     ; ntdll.7C930228
00403A43 |.  8975 F8         mov ,esi
00403A46 |.  8B75 0C         mov esi,
00403A49 |.  8B7D 08         mov edi,                     ; VC8.<ModuleEntryPoint>
00403A4C |.  8B4D 10         mov ecx,
00403A4F |.  C1E9 07         shr ecx,0x7                  ; ecx = [ebp+0x10] >> 7
VC8入口特征查找 GetStartupInfoWVC8查找字符串采用 Unicode码VC8的按钮事件采用查找SUB EAX,0A
VB入口特征
; OllyDbg listing: a VB6 executable. 00401978..0040199C are import thunks (FF25 = jmp dword ptr
; [IAT slot]) into MSVBVM60; the program entry point is at 004019A4 (the "> $" marker): push a
; pointer to a structure whose leading bytes OllyDbg shows as ASCII "VB5!6&vb6chs.dll", then
; call MSVBVM60.#100 (ThunRTMain) through the thunk at 0040199C -- the API the summary below keys on.
; The bytes after that call (0000 ... 3000) appear to be data rather than code; OllyDbg is
; disassembling them as "add byte ptr [eax],al" (bracketed operands dropped by the extraction).
; The page's button-event search string 816C2404??000000 decodes to "sub dword ptr [esp+4],imm32".
00401978 .-  FF2518114000    jmp dword ptr ds:[<&MSVBVM60.#613>]        ; msvbvm60.rtcVarStrFromVar
0040197E .-  FF2584104000    jmp dword ptr ds:[<&MSVBVM60.__vbaVarTst>  ; msvbvm60.__vbaVarTstEq
00401984 .-  FF257C104000    jmp dword ptr ds:[<&MSVBVM60.#528>]        ; msvbvm60.rtcUpperCaseVar
0040198A .-  FF25A8104000    jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>  ; msvbvm60.EVENT_SINK_QueryInterface
00401990 .-  FF2578104000    jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>  ; msvbvm60.EVENT_SINK_AddRef
00401996 .-  FF259C104000    jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>  ; msvbvm60.EVENT_SINK_Release
0040199C $-  FF2508114000    jmp dword ptr ds:[<&MSVBVM60.#100>]        ; msvbvm60.ThunRTMain
004019A2     00              db 00
004019A3     00              db 00
004019A4 > $ 68 5C284000     push VB.0040285C                           ; ASCII "VB5!6&vb6chs.dll"
004019A9 .   E8 EEFFFFFF     call <jmp.&MSVBVM60.#100>                  ; E8 EEFFFFFF targets the ThunRTMain thunk at 0040199C
004019AE .   0000            add byte ptr ds:,al
004019B0 .   0000            add byte ptr ds:,al
004019B2 .   0000            add byte ptr ds:,al
004019B4 .   3000            xor byte ptr ds:,al
004019B6 .   0000            add byte ptr ds:,al
VB入口特征查找函数 ThunRTMainVB 查找字符串时采用二进制字符串816C2404??000000
DELPHI入口
; OllyDbg listing: entry point of a Delphi build.
; Shape: push ebp / mov ebp,esp / add esp,-0x10, then mov eax,<table> and a call into the
; runtime at 00405C78, followed by three repeated triplets "mov eax,dword ptr ds:[x] /
; mov eax,[eax] / call". The A1 4CF14500 bytes show all three load the same dword at
; 0x0045F14C (bracketed operands were dropped by the extraction; 8B00 = mov eax,[eax];
; 8D40 00 = lea eax,[eax+0], a 3-byte filler).
; The ";DELPHI.xxxx" comments are OllyDbg's display of what ecx/edx hold in the session, not
; part of the pattern; the summary below keys on GetModuleHandleA.
; The page's button-event search string 740E8BD38B83????????FF93???????? decodes to
; "je +0x0E / mov edx,ebx / mov eax,[ebx+disp32] / call [ebx+disp32]".
0045D408 > $ 55              push ebp
0045D409 .   8BEC            mov ebp,esp
0045D40B .   83C4 F0         add esp,-0x10
0045D40E .   B8 28D24500     mov eax,DELPHI.0045D228
0045D413 .   E8 6088FAFF     call DELPHI.00405C78
0045D418 .   A1 4CF14500     mov eax,dword ptr ds:        ; [0x0045F14C]
0045D41D .   8B00            mov eax,dword ptr ds:        ; [eax]
0045D41F .   E8 08DFFFFF     call DELPHI.0045B32C
0045D424 .   8B0D 40F24500   mov ecx,dword ptr ds:        ; DELPHI.00460C04
0045D42A .   A1 4CF14500     mov eax,dword ptr ds:        ; [0x0045F14C]
0045D42F .   8B00            mov eax,dword ptr ds:        ; [eax]
0045D431 .   8B15 CCC84500   mov edx,dword ptr ds:        ; DELPHI.0045C918
0045D437 .   E8 08DFFFFF     call DELPHI.0045B344
0045D43C .   A1 4CF14500     mov eax,dword ptr ds:        ; [0x0045F14C]
0045D441 .   8B00            mov eax,dword ptr ds:        ; [eax]
0045D443 .   E8 7CDFFFFF     call DELPHI.0045B3C4
0045D448 .   E8 2769FAFF     call DELPHI.00403D74
0045D44D .   8D40 00         lea eax,dword ptr ds:        ; [eax+0]
DELPHI入口特征 GetModuleHandleADELPHI查找按钮事件 右键--查找---查找二进制字符串740E8BD38B83????????FF93????????
谢谢楼主的分享 谢谢楼主总结,学习了 多谢分享,表示感谢 改了字体看上去舒服多了 多谢分享,新手实践的必备特征 谢谢楼主,学习了
学习了 谢谢,脱壳后看到的都是这样?呵呵,验证去。 多谢分享,表示感谢 多谢分享,表示感谢